CVE-2025-10503

MEDIUM

Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 Identity Server

Title source: cna

Description

The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.

References (1)

Core 1

Core References

Vendor Advisory vendor-advisory

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4577/

Scores

CVSS v3 6.1

EPSS 0.0017

EPSS Percentile 7.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

wso2/identity_server 7.1.0 - 7.1.0.28

WSO2/WSO2 Identity Server 7.1.0 - 7.1.0.28

Published Apr 29, 2026

Tracked Since Apr 29, 2026